Authorities in charge of current systems for preventing cyber attacks on Britain’s banks are ‘catastrophically inadequate’, according to the MP who chairs the Treasury Select Committee.
Andrew Tyrie MP has written to the Chancellor of the Exchequer, Philip Hammond, expressing strongly worded concerns about the current processes for preventing attacks on UK financial services.
Amongst his concerns, Mr Tyrie highlighted the lack of clarity on who is ultimately responsible in the current hierarchy, labelling it a ‘headless framework’.
Cyber attacks against companies in the financial sector have been on the rise in recent years, with 75 attacks being reported to the Financial Conduct Authority (FCA) in 2016, compared to just 5 two years before.
With the cost to global consumers estimated at £8bn in 2016, cyber attacks are one of the most dangerous threats to the financial sector today, and one for which Mr Tyrie warns the UK is not prepared under current systems.
At present the FCA, the Prudential Regulation Authority (PRA), the Cabinet Office, GCHQ’s National Cyber Security Centre and the National Crime Agency all co-ordinate their investigations with support from what the Chancellor calls ‘a deputy director and working level groups’.
But in his letter Mr Tyrie asked: “But who is in charge? Is it the director or does the framework take precedence? Who is he or she? A headless framework scarcely inspires confidence.
“That sounds perilously resonant of the catastrophically inadequate and headless tripartite authorities, supposedly set up to monitor system risk in banking in 1997.
“The problem with such committees and frameworks is that all too often they only get the attention they deserve after a crisis – when it’s too late.
“This must not be permitted to happen in the case of financial cyber risk.”
As recently as January this year the FCA handed out its largest ever penalty for anti-money laundering failures, fining Deutsche Bank more than £163m for exposing ‘the UK financial system to the risks of financial crime’.
Previous fines for security failings topped £50m in 2014 when the FCA and PRA fined RBS a combined £56m for IT failures following a software upgrade.
To date the UK’s major banks have together accumulated over £250bn in misconduct charges since 2011, according to the CCP Research Foundation.
Making up the majority of these fees and charges are refund provisions allocated to the mis-selling of Payment Protection Insurance (PPI).
It is estimated that £50bn worth of PPI policies were sold in total in the UK over the past 10-15 years and figures from the Financial Conduct Authority (FCA) show almost half that amount still remains unclaimed.
The FCA confirmed a deadline on all new PPI claims for August 2019 earlier this month in an attempt to bring an end to the mis-selling scandal, despite concerns from some commentators that many people would miss out on their chance to claim.